Securing the job scheduler using roles

You can secure the job scheduler by mapping users and groups to specific security roles.

Before you begin

Users who are assigned the lradmin role have the authority to perform all job scheduler application actions on all jobs regardless of job ownership, while users who are assigned with the lrsubmitter role can only act on jobs that are owned by the submitters themselves.

Note: To start lrcmd.sh | .bat on an HTTPS port, you must configure SSL on the scheduler server. Following the steps in part three of the series, location in the following DeveloperWorks topic, Build Web services with transport-level security using Rational® Application Developer V7, Part 3: Configure HTTPS. In order to access topics, you must be a registered user for DeveloperWorks. If you have not registered as a user for DeveloperWorks, follow the instructions on the IBM® registration page.

If you use System Authorization Facility (SAF) EJBROLE profiles on the z/OS® operating system, define EJBROLE profiles for lradmin and lrsubmitter roles. Permit these roles to the appropriate SAF user IDs. Do not control permissions through the administration console as described in the following procedure.

About this task

This sample task assumes that the job scheduler is configured. You can use the administrative console to specific security roles.

Procedure

  1. [Updated in April 2012] Click Security > Global security. [Updated in April 2012]
    apr2012
  2. Select administrative security and application security.
  3. Configure User account repository by specifying one of the available realm definitions.
  4. After you have configured WebSphere® Application Server Security, click Apply to save your configuration.
  5. Expand System administration > Job scheduler > Security role to user/group mapping.
  6. Select the roles to be configured.
  7. Click Look up users if one or more users are to be assigned the target role, or click Look up groups if role assignment is at the group level.
  8. Select the user or group to be assigned to the target role.
  9. Click OK and save the configuration.
  10. Restart the cell.

What to do next

With security enabled, provide a valid user ID and password for job actions that are performed through the command- line interface. Submit a job action through the command-line interface with the user name and password information. See the following example:
<install_root>/bin/lrcmd.[bat|sh]  
-cmd=<name_of_command> <command_arguments> [-host=<host> -port=<port>] 
-userid=<user_ID> -password=<password>
where:
  • <host> is the job scheduler server host name. If not specified, the default is localhost.
  • <port> is the scheduler server HTTP (HTTPS) port. If not specified, the default is 80.
See the following example:
D:\IBM\WebSphere\AppServer\bin\lrcmd 
 -cmd=submit -xJCL=D:\IBM\WebSphere\AppServer\samples\Batch\postingSampleXJCL.xml
 -port=9445 -host=wasxd01.ibm.com -userid=mylradmin -password=w2g0u1tf



In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic Task topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Feb 6, 2014 8:11:25 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-mp&topic=tgrid_bgsecur
File name: tgrid_bgsecur.html